00001-0436



Declaration and Power of Attorney For Patent Application 

English Language Declaration 



As a below named inventor, I hereby declare that:

My residence, post office address and citizenship are as stated below next to my name.

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on the invention entitled

KEY AGREEMENT & TRANSPORT PROTOCOL

the specification of which (check one)

□ is attached hereto.
☒ was filed on March 8, 2002 as United States Application No. or PCT International Application Number 10/092,972

and was amended on ________



I hereby state that I have reviewed and understand the contents of the above identified specification, 
including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose to the United States Patent and Trademark Office all information 
known to me to be material to patentability as defined in Title 37, Code of Federal Regulations, 
Section 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d) or 
Section 365(b) of any foreign application(s) for patent or inventor's certificate, or Section 365(a) of 
any PCT International application which designated at least one country other than the United States, 
listed below and have also identified below, by checking the box, any foreign application for patent or 
inventor's certificate or PCT International application having a filing date before that of the application 
on which priority is claimed. 

Prior Foreign Application(s) (if applicable)                Priority Not Claimed

□  (Number) ________   (Country) ________   (Day/Month/Year Filed) ________
□  (Number) ________   (Country) ________   (Day/Month/Year Filed) ________
□  (Number) ________   (Country) ________   (Day/Month/Year Filed) ________
I hereby claim the benefit under 35 U.S.C. Section 119(e) of any United States provisional application(s) listed below:

(Application Serial No.) ________   (Filing Date) ________
(Application Serial No.) ________   (Filing Date) ________
(Application Serial No.) ________   (Filing Date) ________



I hereby claim the benefit under 35 U. S. C. Section 120 of any United States application(s), or 
Section 365(c) of any PCT International application designating the United States, listed below and, 
insofar as the subject matter of each of the claims of this application is not disclosed in the prior 
United States or PCT International application in the manner provided by the first paragraph of 35 
U.S.C. Section 112, I acknowledge the duty to disclose to the United States Patent and Trademark 
Office all information known to me to be material to patentability as defined in Title 37, C. F. R., 
Section 1.56 which became available between the filing date of the prior application and the national 
or PCT International filing date of this application: 



08/426,090 (Application Serial No.)   April 21, 1995 (Filing Date)   ________ (Status: patented, pending, abandoned)
________ (Application Serial No.)   ________ (Filing Date)   ________ (Status: patented, pending, abandoned)
________ (Application Serial No.)   ________ (Filing Date)   ________ (Status: patented, pending, abandoned)



I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these statements 
were made with the knowledge that willful false statements and the like so made are punishable by 
fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such 
willful false statements may jeopardize the validity of the application or any patent issued thereon. 
POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and transact all business in the Patent and Trademark Office connected therewith (list name and registration number):
Orange & Chari (Customer No. 27155) 



Send Correspondence to: John R.S. Orange

Orange & Chari 
Suite 4900, P.O. Box 190 
Toronto, Ontario M5K 1H6, CANADA 

Direct Telephone Calls to: (name and telephone number) 
John R.S. Orange (416) 601-8440 



Full name of sole or first inventor: VANSTONE, Scott A.
Residence: 10140 Pineview Trail, P.O. Box 490, Campbellville, Ontario L0P 1B0, CANADA
Citizenship: Canadian
Post Office Address: Same As Above

Full name of second inventor, if any: MENEZES, Alfred J.
Second inventor's signature / Date: [signature and date illegible]
Residence: 1302-2267 Lakeshore Blvd. West, Toronto, Ontario M8V 3X2, CANADA
Citizenship: Canadian
Post Office Address: Same As Above
Full name of third inventor, if any: QU, Minghua
Third inventor's signature: ________    Date: ________
Residence: 5495 Middlebury Drive, Mississauga, Ontario L5M 5G7, CANADA
Citizenship: Indian
Post Office Address: Same As Above







Full name of fourth inventor, if any: STRUIK, Rene
Fourth inventor's signature: [illegible]    Date: ________
Residence: 34 Northumberland St., Toronto, Ontario M6H 1R1, CANADA
Citizenship: Dutch
Post Office Address: Same As Above



Full name of fifth inventor, if any: ________
Fifth inventor's signature: ________    Date: ________
Residence: ________
Citizenship: ________
Post Office Address: ________

Full name of sixth inventor, if any: ________
Sixth inventor's signature: ________    Date: ________
Residence: ________
Citizenship: ________
Post Office Address: ________
Orange & Chari

Patent & Trademark Agents 

John R.S. Orange 

Direct Dial: (416)601-8446 

jorange@orpat.com 

BY REGISTERED MAIL & COURIER 

November 26, 2002 

Our File: 00001-0436 

Minghua Qu 
5495 Middlebury Drive 
Mississauga ON 
L5M 5G7 

Dear Minghua: 

Re: United States Patent Application No. 10/092,972 

For: Key Agreement & Transport Protocol 

Applicant: VANSTONE et al. 

Further to our conversation with you on November 11, 2002, regarding the signature of the 
Declaration and Power of Attorney documents, we have filed a petition to the Patent Office to 
allow the application to proceed. In the petition, we outlined the attempts we made to obtain your 
signature. 

To avoid the necessity of relying on this procedure in the US Patent Office we would ask you to reconsider signing the documents. If you wish, I will explain the documents to you or to a person designated by you and the procedure to be followed if we do not obtain your signature. Therefore, I am enclosing a copy of the Application, a Declaration and Power of Attorney document for your signature. For your convenience, we have enclosed a pre-addressed envelope for returning the documents to us C.O.D. Should you decide not to sign these documents, please let us know by fax or mail.

This request is made pursuant to the Assignment of parent case US Application No. 08/426,090 
that you executed on June 20, 1995 wherein you agreed to execute any and all required 
documentation for pursuing patent protection for the related technology. 

We will of course reimburse you for any out of pocket expenses associated with responding to 
this letter. 

Please feel free to call me if you have any questions. 
Suite 4900, P.O. Box 190
Toronto Dominion Bank Tower, 66 Wellington Street West
Toronto, Ontario M5K 1H6, Canada
Tel: (416) 601-8440  Fax: (416) 601-8454



Quality Assured Firm- ISO 9001:2000 



Yours very truly, 
Orange & Chari 




John R.S. Orange 
JRO/AS/mh 
Encl. 




CANADA
PROVINCE OF ONTARIO
TO WIT:

TO ALL WHOM THESE PRESENTS MAY COME, BE SEEN OR KNOWN



I, DAVID GORDON ALLSEBROOK, a Notary Public in and for



the Province of Ontario, by Royal Authority duly appointed, 
residing at the City of Toronto in said Province, DO CERTIFY AND 
ATTEST that the paper-writing hereto annexed is a true copy of a 
document produced and shown to me and purporting to be a copy of 
an Assignment from Scott Vanstone, Alfred John Menezes and 
Minghua Qu to Cryptech Systems Inc. dated June 19, 1995, the said 
copy having been compared by me with the said original 
Assignment, an act whereof being requested I have granted under 
my Notarial Form and Seal of Office to serve and avail as 
occasion shall or may require. 

IN TESTIMONY WHEREOF I have hereto subscribed my name 
and affixed my Notarial Seal of Office at Toronto this ____ day
of April, 1996



DAVID GORDON ALLSEBROOK 



ASSIGNMENT 



TO WHOM IT MAY CONCERN: 

For the sum of One Dollar and other valuable consideration to us in hand paid, receipt of which is hereby acknowledged, be it known that we, Scott Vanstone of 539 Sandbrook Court, Waterloo, Ontario, N2T 2H4, Canada; Alfred John Menezes of 254 Payne Street, Auburn, Alabama 36830 and Minghua Qu of 157 University Avenue West, #112, Waterloo, Ontario, N2L 3E5, Canada, have sold, assigned and transferred and by these presents do sell, assign, transfer and set over unto Cryptech Systems Inc., an Ontario corporation, with a place of business at 200 Matheson Boulevard West, Mississauga, Ontario, L5R 3L7, Canada, its successors, legal representatives, or assigns, the whole right, title and interest in and to a certain invention relating to a KEY AGREEMENT AND TRANSPORT PROTOCOL by us devised and the application for United States Patent therefor executed by us and filed in the United States Patent and Trademark Office on April 21, 1995, Serial No. 08/426,090, and all original and reissue patents granted thereof, and all divisions and continuations thereof, including the subject matter of any and all claims which may be obtained in every such patent, and all foreign rights to said invention, and covenant that we have full right to do so, and agree that we will communicate to said corporation or its representatives all facts known to us respecting said invention, whenever requested, and testify in any legal proceedings, sign all lawful papers, make all rightful oaths and generally do everything possible to aid said corporation, its successors, assigns, and nominees, to obtain and enforce proper patent protection for said invention in all countries.

The Commissioner of Patents and Trademarks is requested to issue the Letters Patent 
which may be granted for said invention or any part thereof unto the said corporation in 
keeping with this Assignment. 



Date: ________    Scott Vanstone    (WITNESS)

Date: ________    Alfred John Menezes    (WITNESS)

Date: ________    Minghua Qu    (WITNESS)
KEY AGREEMENT AND TRANSPORT PROTOCOL

This application is a continuation-in-part of United States Application No. 08/426,090.

The present invention relates to key agreement protocols for transfer and authentication of encryption keys.

To retain privacy during the exchange of information it is well known to encrypt data using a key. The key must be chosen so that the correspondents are able to encrypt and decrypt messages but such that an interceptor cannot determine the contents of the message.

In a secret key cryptographic protocol, the correspondents share a common key that is secret to them. This requires the key to be agreed upon between the correspondents and for provision to be made to maintain the secrecy of the key and provide for change of the key should the underlying security be compromised.

Public key cryptographic protocols were first proposed in 1976 by Diffie-Hellman and utilized a public key made available to all potential correspondents and a private key known only to the intended recipient. The public and private keys are related such that a message encrypted with the public key of a recipient can be readily decrypted with the private key but the private key cannot be derived from the knowledge of the plaintext, ciphertext and public key.

Key establishment is the process by which two (or more) parties establish a shared secret key, called the session key. The session key is subsequently used to achieve some cryptographic goal, such as privacy. There are two kinds of key establishment protocol: key transport protocols, in which a key is created by one party and securely transmitted to the second party; and key agreement protocols, in which both parties contribute information which jointly establishes the shared secret key. The number of message exchanges required between the parties is called the number of passes. A key establishment protocol is said to provide implicit key authentication (or simply key authentication) if one party is assured that no other party aside from a specially identified second party may learn the value of the session key. The property of implicit key authentication does not necessarily mean that the second party actually possesses the session key. A key establishment protocol is said to provide key confirmation if one party is assured that a specially identified second party actually has possession of a particular session key. If the authentication is provided to both parties involved in the protocol, then the key authentication is said to be mutual; if provided to only one party, the authentication is said to be unilateral.

There are various prior proposals which claim to provide implicit key authentication. Examples include the Nyberg-Rueppel one-pass protocol and the Matsumoto-Takashima-Imai (MTI), Goss and Yacobi two-pass protocols for key agreement.

The prior proposals ensure that transmissions between correspondents to establish a common key are secure and that an interloper cannot retrieve the session key and decrypt the ciphertext. In this way security for sensitive transactions such as transfer of funds is provided.

For example, the MTI/A0 key agreement protocol establishes a shared secret K, known to the two correspondents, in the following manner:

1. During initial, one-time setup, key generation and publication is undertaken by selecting and publishing an appropriate system prime $p$ and generator $\alpha$ in a manner guaranteeing authenticity. Correspondent A selects as a long-term private key a random integer $a$, $1 < a < p-2$, and computes a long-term public key $z_A = \alpha^a \bmod p$. B generates analogous keys $b$, $z_B$. A and B have access to authenticated copies of each other's long-term public key.

2. The protocol requires the exchange of the following messages:

A → B: $\alpha^x \bmod p$   (1)
A ← B: $\alpha^y \bmod p$   (2)

The values of $x$ and $y$ remain secure during such transmissions as it is impractical to determine the exponent even when the value of $\alpha$ and the exponentiation is known, provided of course that $p$ is chosen sufficiently large.

3. To implement the protocol the following steps are performed each time a shared key is required.
(a) A chooses a random integer $x$, $1 < x < p-2$, and sends B message (1), i.e. $\alpha^x \bmod p$.
(b) B chooses a random integer $y$, $1 < y < p-2$, and sends A message (2), i.e. $\alpha^y \bmod p$.
(c) A computes the key $K = (\alpha^y)^a \, z_B^{\,x} \bmod p$.
(d) B computes the key $K = (\alpha^x)^b \, z_A^{\,y} \bmod p$.
(e) Both share the key $K = \alpha^{bx+ay}$.

In order to compute the key K, A must use his secret key $a$ and the random integer $x$, both of which are known only to him. Similarly B must use her secret key $b$ and random integer $y$ to compute the session key K. Provided the secret keys $a$, $b$ remain uncompromised, an interloper cannot generate a session key identical to that of the other correspondent. Accordingly, ciphertext produced under a key generated by the interloper will not be decipherable by both correspondents.

As such this and related protocols have been considered satisfactory for key establishment and resistant to conventional eavesdropping or man-in-the-middle attacks.

In some circumstances it may be advantageous for an adversary to mislead one correspondent as to the true identity of the other correspondent.

In such an attack an active adversary or interloper E modifies messages exchanged between A and B, with the result that B believes that he shares a key K with E while A believes that she shares the same key K with B. Even though E does not learn the value of K, the misinformation as to the identity of the correspondents may be useful.

A practical scenario where such an attack may be launched successfully is the following. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within the certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via a mutually authenticated key agreement. Once B has authenticated the transmitting entity, encrypted funds are deposited to the account number in the certificate. If no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth) then the deposit will be made to E's account.

It is therefore an object of the present invention to provide a protocol in which the above disadvantages are obviated or mitigated.

According therefore to the present invention there is provided a method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key $a$, $b$ and a public key $p_A$, $p_B$ derived from a generator $\alpha$ and respective ones of said private keys $a$, $b$, said method including the steps of

i) a first of said correspondents A selecting a first random integer $x$ and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;
ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;
iii) said correspondent B selecting a second random integer $y$ and exponentiating a function $f(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f(\alpha)^{g(y)}$;
iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;
v) said second correspondent B generating a value $h$ of a function $F[\delta, K]$ where $F[\delta, K]$ denotes a cryptographic function applied conjointly to $\delta$ and K and where $\delta$ is a subset of the public information provided by B, thereby to bind the values of $\delta$ and K;
vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponentiated function $f(\alpha)^{g(y)}$ and said value $h$ of said cryptographic function $F[\delta, K]$;
vii) said first correspondent A receiving said message and computing a session key $K'$ from information made public by said second correspondent B and private to said first correspondent A;
viii) said first correspondent A computing a value $h'$ of a cryptographic function $F[\delta, K']$; and
ix) comparing said values $h$, $h'$ obtained from said cryptographic functions F to confirm their correspondence.

As the session key K can only be generated using information that is private to either A or B, the binding of K with $\delta$ by the cryptographic function F prevents E from extracting K or interjecting a new value of the function that will correspond to that obtained by A.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system.

Figures 2 through 7 are schematic representations of implementations of different protocols.

Referring therefore to Figure 1, a pair of correspondents, 10, 12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16, 18 is interposed between each of the correspondents 10, 12 and the channel 14. A key 20 is associated with each of the cryptographic units 16, 18 to convert plaintext carried between each unit 16, 18 and its respective correspondent 10, 12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18.

The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that
allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and embodiments of the present invention will be described below in the context of modifications of existing protocols.

A commonly used set of protocols are collectively known as the Matsumoto-Takashima-Imai or "MTI" key agreement protocols, and are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a prime number $p$ and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. Correspondent A has private key $a$ and public key $p_A = \alpha^a$. Correspondent B has private key $b$ and public key $p_B = \alpha^b$. In all four protocols exemplified below, $\text{text}_A$ refers to a string of information that identifies party A. If the other correspondent B does not possess an authentic copy of correspondent A's public key, then $\text{text}_A$ will contain A's public-key certificate, issued by a trusted center; correspondent B can use his authentic copy of the trusted center's public key to verify correspondent A's certificate, hence obtaining an authentic copy of correspondent A's public key.

In each example below it is assumed that an interloper E wishes to have messages from A identified as having originated from E herself. To accomplish this, E selects a random integer $e$, $1 < e < p-2$, computes $p_E = (p_A)^e = \alpha^{ae} \bmod p$, and gets this certified as her public key. E does not know the exponent $ae$, although she knows $e$. By substituting $\text{text}_E$ for $\text{text}_A$, the correspondent B will assume that the message originates from E rather than A and use E's public key to generate the session key K. E also intercepts the message from B and uses her secret random integer $e$ to modify its contents. A will then use that information to generate the same session key, allowing A to communicate with B.

The present invention is exemplified by modifications to 4 of the family of MTI protocols which foil this new attack, thereby achieving the desired property of mutual implicit authentication. In the modified protocols exemplified below $F(X, Y)$ denotes a cryptographic function applied to a string derived from $X$ and
$Y$. Typically, and as exemplified, a hash function such as the NIST "Secure Hash Algorithm" (SHA-1) is applied to the string obtained by concatenating $X$ and $Y$, but it will be understood that other cryptographic functions may be used.

Example 1 - MTI/A0 protocol

The existing protocol operates as follows:

1. Correspondent A generates a random integer $x$, $1 < x < p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. Correspondent B generates a random integer $y$, $1 < y < p-2$, computes $\alpha^y$, and sends $\{\alpha^y, \text{text}_B\}$ to party A.
3. Correspondent A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$.
4. Correspondent B computes $K = (\alpha^x)^b (p_A)^y = \alpha^{ay+bx}$.

A common key K is thus obtained. However, with this arrangement, interloper E may have messages generated by correspondent A identified as having originated from E in the following manner.

1. E intercepts A's message $\{\alpha^x, \text{text}_A\}$ and replaces it with $\{\alpha^x, \text{text}_E\}$. The provision of the message $\text{text}_E$ identifies the message as having originated at E.
2. B sends $\{\alpha^y, \text{text}_B\}$ to E, who then forwards $\{(\alpha^y)^e, \text{text}_B\}$ to A. Since A receives $\text{text}_B$, he assumes the message originates at B and, as he does not know the value of $y$, assumes that $\alpha^{ye}$ is valid information.
3. A computes $K = (\alpha^{ey})^a (p_B)^x = \alpha^{aey+bx}$.
4. B computes $K = (\alpha^x)^b (p_E)^y = \alpha^{aey+bx}$.
5. A and B now share the key K, even though B believes he shares a key with E.

Accordingly any further transactions from A to B will be considered by B to have originated at E. B will act accordingly, crediting instructions to E. Even though the interloper E does not learn the value of the session key K, nevertheless the assumption that the message originates at E may be valuable and achieve the desired effect.
To avoid this problem, the protocol is modified as follows:

1. A generates a random integer $x$, $1 < x < p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, and computes $\alpha^y$, $K = (\alpha^x)^b (p_A)^y = \alpha^{ay+bx}$, and a value $h$ of the cryptographic hash function $F(\alpha^y, \alpha^{ay+bx})$, which is a function of public information $\delta$ and the key K. B sends $\{\alpha^y, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$. A also computes a value $h'$ of the cryptographic hash function $F(\alpha^y, K)$ and verifies that this value is equal to $h$.

If E attempts to interpose her identification, $\text{text}_E$, the attack fails on the modified protocols because in each case B sends the hash value $F(\delta, K)$, where $\delta$ is B's random exponential $\alpha^y$, thereby binding together the values of $\delta$ and K. E cannot subsequently replace the value of $\delta$ with $\delta^e$ and compute $F(\delta^e, K)$ since E does not know K. Even though E knows $\alpha^y$, this is not sufficient to extract K from the hash value $h$. Accordingly, even if E interposes the value $\alpha^{ye}$ so that the keys 20 will agree, the values $h$, $h'$ will not.
Example 2 - MTI/B0 protocol

In this protocol,

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

This protocol is vulnerable to the interloper E if,

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$ to identify herself as the originator of the message.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.
5. A and B now share the key K, even though B believes he shares a key with E.

This protocol may be modified to resist E's attack as follows.

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$, and the value $h$ of the hash function $F(\alpha^{ay}, \alpha^{x+y})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$. A also computes the value $h'$ of the hash function $F(\alpha^{ay}, K)$ and verifies that this value is equal to $h$.

Once again, E cannot determine the session key K and so cannot generate a new value of the hash function to maintain the deception.
Example 3 - MTI/C0 protocol

This protocol operates as follows:

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.

The interloper E may interpose her identity as follows:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this attack the protocol is modified as follows:

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$, and the value $h$ of the hash function $F(\alpha^{ay}, \alpha^{xy})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$. A also computes the value $h'$ of $F(\alpha^{ay}, K)$ and verifies that this value is equal to $h$.
Example 4 - MTI/C1 protocol

In this protocol:

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, computes $(p_A)^{by} = \alpha^{aby}$, and sends $\{\alpha^{aby}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

E can act as an interloper as follows:

1. E replaces A's message $\{\alpha^{abx}, \text{text}_A\}$ with $\{\alpha^{abx}, \text{text}_E\}$.
2. B sends $\{(p_E)^{by}, \text{text}_B\}$ to E, who then computes $((p_E)^{by})^{e^{-1}} = \alpha^{aby}$ and forwards $\{\alpha^{aby}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this, the protocol is modified as follows:

1. A generates a random integer $x$, $1 < x < p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer $y$, $1 < y < p-2$, and computes $(p_A)^{by} = \alpha^{aby}$, $K = (\alpha^{abx})^y = \alpha^{abxy}$, and $h = F(\alpha^{aby}, \alpha^{abxy})$. B sends $\{\alpha^{aby}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$. A also computes $h' = F(\alpha^{aby}, K)$ and verifies that this value is equal to $h$.

In each of the modified protocols discussed above, key confirmation from B to A is provided.
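The four exchanges above, the interloper's substitution and the hash-binding check, carried through in runnable form. This is an added example written for this page, not code from the patent or its applicants: the group parameters are a toy safe prime and generator chosen here, SHA-256 stands in for the SHA-1 the page exemplifies, and the Goss variant (K as the XOR of $\alpha^{ay}$ and $\alpha^{bx}$ rather than their product, discussed later in the specification) is included because the page states the attack and the fix carry over to it. The attacker model is the page's: E has $p_E = p_A^e$ certified, swaps $\text{text}_E$ for $\text{text}_A$, and re-exponentiates B's reply so that A's key matches B's. Function and variable names (`run`, `VARIANTS`, `inv_exp`) are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Toy group (assumption, not from the page): 1019 = 2*509 + 1 is a safe prime
# and 2 generates Z_1019^* because 1019 = 3 (mod 8) makes 2 a non-residue.
P = 1019
ALPHA = 2


def inv_exp(k):
    """Inverse of exponent k modulo the group order P-1 (MTI/B0 and C0 use it)."""
    return pow(k, -1, P - 1)


def rand_exponent():
    """Random k with 1 < k < P-2 and gcd(k, P-1) = 1, so inv_exp(k) exists."""
    while True:
        k = secrets.randbelow(P - 4) + 2
        if gcd(k, P - 1) == 1:
            return k


def F(delta, key):
    """The page's F(delta, K): a hash over delta and K concatenated.
    The page exemplifies SHA-1; SHA-256 is used here instead."""
    return hashlib.sha256(f"{delta}|{key}".encode()).hexdigest()


# Per variant: A's message, B's message, A's key, B's key, and the exponent E
# applies to B's message before forwarding it.  Arguments: own private key,
# own random exponent, the peer public key used, and (for the key functions)
# the value received from the peer.
VARIANTS = {
    "A0": (lambda a, x, pb: pow(ALPHA, x, P),
           lambda b, y, pa: pow(ALPHA, y, P),
           lambda a, x, pb, rb: pow(rb, a, P) * pow(pb, x, P) % P,   # alpha^(ay+bx)
           lambda b, y, pa, ra: pow(ra, b, P) * pow(pa, y, P) % P,
           lambda e: e),                                             # forwards (alpha^y)^e
    "B0": (lambda a, x, pb: pow(pb, x, P),
           lambda b, y, pa: pow(pa, y, P),
           lambda a, x, pb, rb: pow(rb, inv_exp(a), P) * pow(ALPHA, x, P) % P,  # alpha^(x+y)
           lambda b, y, pa, ra: pow(ra, inv_exp(b), P) * pow(ALPHA, y, P) % P,
           lambda e: inv_exp(e)),                                    # forwards ((p_E)^y)^(1/e)
    "C0": (lambda a, x, pb: pow(pb, x, P),
           lambda b, y, pa: pow(pa, y, P),
           lambda a, x, pb, rb: pow(rb, inv_exp(a) * x, P),          # alpha^(xy)
           lambda b, y, pa, ra: pow(ra, inv_exp(b) * y, P),
           lambda e: inv_exp(e)),
    "C1": (lambda a, x, pb: pow(pb, a * x, P),
           lambda b, y, pa: pow(pa, b * y, P),
           lambda a, x, pb, rb: pow(rb, x, P),                       # alpha^(abxy)
           lambda b, y, pa, ra: pow(ra, y, P),
           lambda e: inv_exp(e)),
    # Goss: as A0, but K is the XOR of alpha^(ay) and alpha^(bx), not the product.
    "Goss": (lambda a, x, pb: pow(ALPHA, x, P),
             lambda b, y, pa: pow(ALPHA, y, P),
             lambda a, x, pb, rb: pow(rb, a, P) ^ pow(pb, x, P),
             lambda b, y, pa, ra: pow(ra, b, P) ^ pow(pa, y, P),
             lambda e: e),
}


def run(variant, attack=False, modified=False):
    """One exchange.  attack=True inserts E, who has p_E = p_A^e certified and
    swaps text_A for text_E; modified=True makes B send h = F(delta, K) with
    delta its own exponential, and A check it.  Returns (K_A, K_B, identity B
    believes it shares K with, whether A accepted)."""
    a_send, b_send, a_key, b_key, e_exp = VARIANTS[variant]
    a, b, x, y = (rand_exponent() for _ in range(4))
    pa, pb = pow(ALPHA, a, P), pow(ALPHA, b, P)

    # Message (1): A -> B.  E leaves the value alone and only swaps the identity.
    msg1 = a_send(a, x, pb)
    e = rand_exponent() if attack else None
    peer_text = "textE" if attack else "textA"
    peer_pub = pow(pa, e, P) if attack else pa       # key certified under peer_text

    # B derives K from msg1 and the public key named in the message it received.
    msg2 = b_send(b, y, peer_pub)
    k_b = b_key(b, y, peer_pub, msg1)
    h = F(msg2, k_b) if modified else None           # binds delta = msg2 to K

    # Message (2): B -> A.  E re-exponentiates msg2 so that A's K equals B's.
    msg2_at_a = pow(msg2, e_exp(e), P) if attack else msg2
    k_a = a_key(a, x, pb, msg2_at_a)
    accepted = F(msg2_at_a, k_a) == h if modified else True
    return k_a, k_b, peer_text, accepted


def demo():
    """Every variant: the attack yields one K that B attributes to E, and the
    modified protocol keeps K equal but makes A reject because h != h'."""
    for v in VARIANTS:
        k_a, k_b, who, ok = run(v, attack=True)
        assert k_a == k_b and who == "textE" and ok
        k_a, k_b, who, ok = run(v, attack=True, modified=True)
        assert k_a == k_b and who == "textE" and not ok
    return True


if __name__ == "__main__":
    print("attack and fix behave as described for", list(VARIANTS), demo())
```

Running the file exercises every variant: with the unmodified protocols A and B end up holding the same K while B's view of its partner is $\text{text}_E$, and E never needs K to achieve that; with the modification K still agrees (E's re-exponentiation is untouched), but $h \neq h'$ and A rejects, which is exactly the page's point about $\alpha^{ye}$. The exponent inverses in B0 and C0 are taken modulo the group order $p-1$, which is why the example rejects exponents that are not coprime to it.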

As noted above, instead of F being a cryptographic hash function other functions could be used. For example, an option available is to choose $F = \varepsilon_K$, where $\varepsilon$ is the encryption function of a suitable symmetric-key encryption scheme, and K is the session key established. Because E cannot generate the session key K, it is similarly not able to generate the value of the function F and therefore cannot interpose for the correspondent A.

The technique described above can be applied to other similar key exchange protocols, including all of the 3 infinite classes of MTI protocols called MTI-A(k), MTI-B(k) and MTI-C(k).

The Goss authenticated key exchange protocol is similar to the MTI/A0 protocol, except that the session key is the bitwise exclusive-OR of $\alpha^{ay}$ and $\alpha^{bx}$; that is $K = \alpha^{ay} \oplus \alpha^{bx}$ instead of being the product of $\alpha^{ay}$ and $\alpha^{bx}$. Hence the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

Similarly Yacobi's authenticated key exchange protocol is exactly the same as the MTI/A0 protocol, except that $\alpha$ is an element of the group of units $\mathbb{Z}_n^*$, where $n$ is the product of 2 large primes. Again, the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Yacobi protocol.

A further way of foiling the interposition of E is to require that each entity prove to a trusted center that it knows the exponent of $\alpha$ that produces its public key $P$, before the center issues a certificate for the public key. Because E only knows $e$ and not $ae$ it would not meet this requirement. This can be achieved through zero knowledge techniques to protect the secrecy of the private keys but also requires the availability of a trusted centre which may not be convenient.

2 5 Each of the above examples has been described with a 2 pass protocol 

2 6 for key authentication. One pass protocols also exist to establish a key between 

2 7 correspondents and may be similarly vulnerable. 

2 8 As an example the Nyberg-Rueppel one pass key agreement protocol 

2 9 will be described and a modification proposed. 

The purpose of this protocol is for party A and party B to agree upon a secret session key K.

The system parameters for these protocols are a prime number p and a generator α of the multiplicative group Z_p^*. User A has private key a and public key p_A = α^a. User B has private key b and public key p_B = α^b.

1. A selects random integers x and t, 1 ≤ x, t ≤ p-2.
2. B recovers the value α^x mod p by computing α^s (p_A)^r mod p and then computes the shared session key K = (r α^x)^{b^{-1}} = α^t mod p.

If interloper E wishes to have messages from A identified as having originated from herself, E selects a random integer e, 1 ≤ e ≤ p-2, computes p_E = α^e, and gets this certified as her public key.

1. E intercepts A's message {r, s, text_A} and computes α^x = α^s (p_A)^r and α^{bt} = r α^x.
2. E then selects a random integer x', 1 ≤ x' ≤ p-2, computes r' = α^{bt} α^{-x'} mod p and s' = x' - r'e mod (p-1).
3. E sends {r', s', text_E} to B.
4. B recovers the value α^{x'} mod p by computing α^{s'} (p_E)^{r'} mod p and then computes K = (r' α^{x'})^{b^{-1}} = α^t mod p.
5. A and B now share the key K, even though B believes he shares a key with E.

To foil such an attack the protocol is modified by requiring A to also transmit a value h of F(p_A, K), where F is a hash function, an encryption function of a symmetric-key system with key K, or other suitable cryptographic function. The modified protocol is the following.

1. A selects random integers x and t, 1 ≤ x, t ≤ p-2.
2. A computes r = (p_B)^t α^{-x} mod p, s = x - ra mod (p-1), the session key K = α^t mod p and the value h of the hash function F(p_A, K). A sends {r, s, h, text_A} to B.
3. B recovers the value α^x mod p by computing α^s (p_A)^r mod p and then computes the shared session key K = (r α^x)^{b^{-1}} = α^t mod p. B also computes the value h' of the function F(p_A, K) and verifies that this value is equal to h.
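The one-pass exchange above, E's re-signing of A's message under her own certified key, and the check of h = F(p_A, K) by B, as an added Python simulation that is not the patent's own code; the modulus 2^61-1, the element α = 3, SHA-256 as F and all private values are constructed for the example.

```python
"""Nyberg-Rueppel one-pass key agreement: E's re-signing interposition and the
modification that binds p_A into h = F(p_A, K).  Added example, not the patent's
own code.  Constructed toy parameters: p = 2**61 - 1, alpha = 3; F is SHA-256.
"""
import hashlib

P = 2305843009213693951          # constructed toy modulus (2**61 - 1, prime)
ALPHA = 3                        # constructed group element used as the generator


def F(public_value: int, key: int) -> bytes:
    """Cryptographic function over (public information, session key)."""
    return hashlib.sha256(public_value.to_bytes(32, "big") +
                          key.to_bytes(32, "big")).digest()


def a_sends(a, p_b, x, t):
    """A: r = (p_B)^t alpha^-x, s = x - r a mod (p-1), K = alpha^t, h = F(p_A, K)."""
    r = pow(p_b, t, P) * pow(ALPHA, -x, P) % P
    s = (x - r * a) % (P - 1)
    K = pow(ALPHA, t, P)
    return r, s, F(pow(ALPHA, a, P), K), K


def b_receives(b, p_sender, r, s, h):
    """B: recover alpha^x = alpha^s p_sender^r, K = (r alpha^x)^(b^-1); check h.
    Requires gcd(b, p-1) == 1 so that b^-1 mod (p-1) exists."""
    alpha_x = pow(ALPHA, s, P) * pow(p_sender, r, P) % P
    K = pow(r * alpha_x % P, pow(b, -1, P - 1), P)
    return K, F(p_sender, K) == h


def e_resigns(e, p_a, r, s, x_prime):
    """E: from A's (r, s) recover alpha^x and alpha^(bt), then re-sign with her key e."""
    alpha_x = pow(ALPHA, s, P) * pow(p_a, r, P) % P
    alpha_bt = r * alpha_x % P
    r_prime = alpha_bt * pow(ALPHA, -x_prime, P) % P
    s_prime = (x_prime - r_prime * e) % (P - 1)
    return r_prime, s_prime


def run_nyberg_rueppel(a, b, e, x, t, x_prime):
    """A's message passes through E, who forwards it to B under E's identity."""
    p_a, p_b, p_e = (pow(ALPHA, k, P) for k in (a, b, e))
    r, s, h, K_a = a_sends(a, p_b, x, t)
    r_p, s_p = e_resigns(e, p_a, r, s, x_prime)
    # E cannot compute K: she recovers alpha^(bt) but not alpha^t, so the only
    # value she can forward for h is A's, which B now checks against p_E.
    K_b, b_accepts = b_receives(b, p_e, r_p, s_p, h)
    return {"K_a": K_a, "K_b": K_b, "B_accepts": b_accepts}
```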

Again therefore, by binding together the public information p_A and the session key K in the hash function, the interposition of E will not result in identical hash values h, h'.

In each case it can be seen that a relatively simple modification to the protocols, involving the binding of public and private information in a cryptographic function, foils the interposition of interloper E.

All the protocols discussed above have been described in the setting of the multiplicative group Z_p^*. However, they can all be easily modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field (in particular the finite field GF(2^n)), subgroups of Z_p^* of order q, and the group of points on an elliptic curve defined over a finite field. In each case an appropriate generator α will be used to define the public keys.

The protocols discussed above can also be modified in a straightforward way to handle the situation where each user picks their own system parameters p and α (or analogous parameters if a group other than Z_p^* is used).

Further implementations are shown schematically in figures 2 through 7. A different notation is utilized, but it will be understood that this notation may be mapped to that of the previous embodiments.

Referring to figure 2, a mutual public key authenticated key agreement protocol is implemented between a correspondent A shown on the left hand side of the figure and a correspondent B shown on the right hand side. Correspondent A has a public-private key pair P_A, S_A respectively and similarly correspondent B has a public-private key pair P_B, S_B.

As a first step, correspondent A generates a session private key as a random number RND_A and computes a corresponding public session key G_A = F_A(RND_A). The function F_A is a cryptographic one way function, typically an exponentiation by the group generator, such as a point multiplication in an elliptic curve cryptosystem.

The public session key G_A is forwarded to correspondent B, who generates the corresponding parameters of a session private key RND_B and the exponent G_B.

The correspondent B computes a session key K as a function of A's public information G_A, P_A and B's private information RND_B, S_B. A corresponding key K' can be computed by A using the private information of A and the public information of B, namely f(RND_A, G_B, S_A, P_B).

After correspondent B has generated the key K, he compiles a string (G_A//G_B//Id_A) where Id_A is a string that identifies A. The concatenated string is hashed with a cryptographic function h_K, which is a keyed hash function that uses the key K, to yield a string hash_B.

The string hash_B is forwarded to correspondent A together with Id_A and G_B.

Upon receipt of the message from B, correspondent A computes the key K' as described above. Correspondent A also computes a hash, hashverify_B, from the string (G_B//G_A//Id_A) using the hash function keyed by the key K'. Correspondent A checks that the hashes verify to confirm the identity of the keys K, K'.

Correspondent A then computes a hash hash_A using the key K on the string (G_A//G_B//Id_B) and forwards that together with Id_B to correspondent B. Correspondent B similarly computes a hashverify_A using the keyed hash function h_K on the same string and verifies that hash_A = hashverify_A.
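Both sides of the figure 2 exchange, including the keyed-hash confirmations in each direction, as an added Python example that is not the patent's own code. The text fixes neither the group nor the functions f and h_K, so the example assumes Z_p^* with a constructed modulus 2^61-1 and element α = 3, exponentiation as F_A, the MTI/A0 form K = G_A^{S_B} · P_A^{RND_B} (K' = G_B^{S_A} · P_B^{RND_A}) for f, HMAC-SHA256 keyed with K as h_K, and the same string order (G_A//G_B//Id) on both sides; the `tamper` flag models G_B being altered in transit.

```python
"""Figure-2 style mutual public key authenticated key agreement with keyed-hash
confirmation.  Added example, not the patent's own code; the group, f and h_K
are assumptions stated in the lead-in, and all key material is constructed.
"""
import hashlib
import hmac

P = 2305843009213693951          # constructed toy modulus (2**61 - 1, prime)
ALPHA = 3                        # constructed group element used as the generator


def to_bytes(v: int) -> bytes:
    return v.to_bytes(32, "big")


def h_K(K: int, *parts) -> bytes:
    """Keyed hash h_K over the concatenated string (part_1 // part_2 // ...)."""
    msg = b"//".join(p if isinstance(p, bytes) else to_bytes(p) for p in parts)
    return hmac.new(to_bytes(K), msg, hashlib.sha256).digest()


def session_key(my_rnd, my_s, peer_g, peer_p):
    """Assumed f: K = peer_G^my_S * peer_P^my_RND mod p (MTI/A0 form)."""
    return pow(peer_g, my_s, P) * pow(peer_p, my_rnd, P) % P


def run_figure2(s_a, s_b, rnd_a, rnd_b, id_a=b"A", id_b=b"B", tamper=False):
    """Run the three passes between A and B; return keys and both verdicts."""
    P_A, P_B = pow(ALPHA, s_a, P), pow(ALPHA, s_b, P)      # long-term public keys
    # Pass 1, A -> B: G_A = F_A(RND_A)
    G_A = pow(ALPHA, rnd_a, P)
    # B: G_B, K and hash_B = h_K(G_A // G_B // Id_A);  B -> A: {hash_B, Id_A, G_B}
    G_B = pow(ALPHA, rnd_b, P)
    K = session_key(rnd_b, s_b, G_A, P_A)
    hash_B = h_K(K, G_A, G_B, id_a)
    G_B_recv = G_B * ALPHA % P if tamper else G_B          # optional in-transit change
    # A: K' and hashverify_B over the received values, keyed with K'
    K_prime = session_key(rnd_a, s_a, G_B_recv, P_B)
    hashverify_B = h_K(K_prime, G_A, G_B_recv, id_a)
    a_ok = hmac.compare_digest(hash_B, hashverify_B)
    # Pass 3, A -> B: {hash_A = h_K'(G_A // G_B // Id_B), Id_B};  B recomputes with K
    hash_A = h_K(K_prime, G_A, G_B_recv, id_b)
    b_ok = hmac.compare_digest(hash_A, h_K(K, G_A, G_B, id_b))
    return {"K": K, "K_prime": K_prime, "A_verifies": a_ok, "B_verifies": b_ok}
```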
A similar protocol is shown in figure 3 to implement a mutual symmetric key authentication protocol. In this protocol the correspondents share a key K obtained over a secure channel. The correspondents A, B each generate a random integer which is used as the session public key of A and B respectively. Thereafter the exchange of information and verification proceeds as above with respect to figure 2, with the shared secret key being utilised in the keyed hash functions.

A full mutual public key authenticated protocol is shown in figure 4. An initial exchange of the public keys P_A, P_B is performed over an authenticated channel, followed by the exchange of information as shown in the protocol of figure 4. In this case the correspondent A sends G_A, computed as described above with respect to figure 2, together with a string x_2 of which A wants confirmation of receipt by B. Correspondent B computes the key K as in figure 2 and also generates a pair of strings y_1, y_2 which B wants to have authenticated by A and receipt confirmed by A respectively. The strings are sent to A with the hash hash_B and identity Id_A. The hash hash_B is performed on a string including the message x_2 and the string y_1 that B wants authenticated.

Correspondent A computes the key K and verifies the hash as before. This also confirms receipt of x_2 by B.

Correspondent A in turn generates strings z_1, z_2, where z_1 is a string that A wants authenticated by B and z_2 is a string that may be used in a subsequent stage of the protocol described below. The strings z_1 and y_2, together with the identifying information of B, Id_B, are included in the string that is hashed with the key K to provide the string hash_A. This is sent together with the identity of B and the strings z_1, z_2 to the correspondent B, who can verify the hashes as before, thereby confirming receipt of y_2 and authenticating z_1.

Thus the information is exchanged in an authenticated manner and a common key obtained that allows subsequent exchange of correspondence on a secure channel.

With the protocol described in figure 4 it is possible to implement a mutual public key authenticated key agreement protocol by letting the strings x_2, y_1, y_2, z_1, z_2 all be empty strings. Alternatively, a mutual public key authenticated key agreement protocol with key transport can be implemented by using x_2 as a string that is assumed to represent E_K(k). Correspondent B can compute the value of K and hence retrieve the notional value of k from the string. He can use this as his CRP. The value y_1 may be used to represent E_K(k_21) and z_1 to represent E_K(k_12), where k_21 and k_12 are different keys for communication or other secret information to be shared between the correspondents. In this case y_2 and z_2 are empty strings. In this way there is a key agreement on a shared key K_ab together with authenticated key transport of the keys k_21 and k_12 between the correspondents. Moreover, if additional information is provided in x_2 and y_2, then confirmation of proper receipt is also obtained.

The protocol of figure 4 may also be used to increase efficiency in successive sessions by using the string z_2 to pass the information exchanged in the first pass of the next session. Thus, as shown in figure 5, the string G_A, x_2 is sent as z_2 in the previous session. The protocol then proceeds from correspondent B as before. Correspondent B may also take advantage of this facility by including the information G_B, y_1 for the next session in the exchange as y_2.

The mutual public key authenticated key agreement protocol may also be adapted for symmetric key implementations as shown in figure 6. In this case, as in figure 3 above, the key generation is omitted as the correspondents have a shared key obtained over a secure channel.
Similarly, the protocol of figure 6 may be modified as illustrated in figure 7 to take advantage of the exchange of information in a previous session, similar to that of figure 5.

It will be seen therefore that a number of versatile and flexible protocols can be developed from the general protocol to meet particular needs. These protocols may implement elliptic curve cryptography or operate in Z_p as preferred.
WE CLAIM

1. A method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key p_A, p_B derived from a generator α and respective ones of said private keys a, b, said method including the steps of
i) a first of said correspondents A selecting a first random integer x and exponentiating a function f(α) including said generator to a power g(x) to provide a first exponentiated function f(α)^{g(x)};
ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function f(α)^{g(x)};
iii) said correspondent B selecting a second random integer y and exponentiating a function f'(α) including said generator to a power g(y) to provide a second exponentiated function f'(α)^{g(y)};
iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;
v) said second correspondent B generating a value h of a function F[δ,K] where F[δ,K] denotes a cryptographic function applied conjointly to δ and K and where δ is a subset of the public information provided by B, thereby to bind the values of δ and K;
vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponentiated function f'(α)^{g(y)} and said value h of said cryptographic function F[δ,K];
vii) said first correspondent receiving said message and computing a session key K' from information made public by said second correspondent B and private to said first correspondent A;
viii) said first correspondent A computing a value h' of a cryptographic function F[δ,K']; and
ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

2. A method of claim 1 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

3. A method according to claim 1 wherein said message forwarded by said second correspondent includes an identification of said second correspondent.

4. A method according to claim 3 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

5. A method according to claim 1 wherein said first function f(α) including said generator is said generator itself.

6. A method according to claim 1 wherein said second function f'(α) including said generator is said generator itself.

7. A method according to claim 6 wherein said first function f(α) including said generator is said generator itself.

8. A method according to claim 1 wherein said first function including said generator f(α) includes said public key p_B of said second correspondent.

9. A method according to claim 1 wherein said second function including said generator f'(α) includes said public key p_A of said first correspondent.

10. A method according to claim 1 wherein said cryptographic functions F are hashes of δ and K.
11. A method of transporting a key between a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key p_A, p_B derived from a generator α and respective ones of said private keys a, b, said method including the steps of
i) a first of said correspondents A selecting a first random integer x and exponentiating a function f(α) including said generator to a power g(x) to provide a first exponentiated function f(α)^{g(x)};
ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function f(α)^{g(x)};
iii) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;
iv) both of said first correspondent A and said second correspondent B computing a respective value h, h' of a function F[δ,K] where F[δ,K] denotes a cryptographic function applied to δ and K and where δ is a subset of the public information provided by one of said correspondents;
v) at least one of said correspondents comparing said values h, h' obtained from said cryptographic function F to confirm their correspondence.

12. A method of claim 11 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

13. A method according to claim 11 wherein said message forwarded by said first correspondent includes said value obtained from said cryptographic function by said first correspondent.

14. A method according to claim 11 wherein said values obtained from said cryptographic functions are obtained from a hash of said public information and said session key K.

15. A method according to claim 11 wherein said first correspondent selects a pair of random integers x and t and generates a session key K as f(α)^{g(t)}, and generates a value r from said first exponentiated function f(α)^{g(x)} which includes a factor exponentiating said public key p_B of said second correspondent B with said random integer t, to be of the form p_B^{g(t)} α^{g(x)}.

16. A method according to claim 15 wherein said first correspondent A generates a value s from a combination of said random integer x and said private key a and forwards said value of r and said value of s to said second correspondent B to permit said second correspondent B to recover said session key K using the private key b of said second correspondent B.

17. A method according to claim 16 wherein said random integer x and said private key a are combined to produce s such that s = x - ra mod (p-1).

18. A method according to claim 17 wherein said cryptographic function F is a hash of said public information δ and said session key K.

19. A method according to claim 18 wherein said public information δ is the public key p_A of said first correspondent A.
ABSTRACT

A key establishment protocol includes the generation of a value of a cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.